Progress on Automotive Cyber Security, but Still Much to Do

When I joined Guidehouse Insights two years ago, I sat down on my first day and wrote a post on this blog about automotive cyber security. At that point, most of the industry was still largely refusing to acknowledge that cyber security was even something to be concerned about. Things have changed quite dramatically since then, but there is still a long way to go, as recent news shows.

All of the major automakers except for Tesla have come together to establish the Automotive Information Sharing and Analysis Center (Auto-ISAC). Like ISACs in other industries, the Auto-ISAC provides a mechanism for manufacturers to share non-competitive information about security threats and collaborate on understanding and correcting these vulnerabilities. Since the Auto-ISAC started operations at the end of 2015, it has also begun to add suppliers to its member ranks.

Developing Best Practices

At the recent Billington Automotive Cybersecurity summit in Detroit, the Auto-ISAC announced the development of a set of cyber security best practices for the industry. Industry executives and regulators—including General Motors CEO Mary Barra, National Highway Traffic Safety Administration director Mark Rosekind, and Secretary of Transportation Anthony Foxx—discussed the importance of designing for cyber security and what is being done to address threats.

In August of 2014, Tesla was taking the lead on hiring white hat hackers to work on security from inside, and other companies are now doing the same. Tesla, GM, and Fiat Chrysler Automobiles have all established responsible disclosure programs that provide a means for researchers to submit information about vulnerabilities they have discovered.

A pair of Silicon Valley startups, HackerOne and Bugcrowd, have developed platforms for submission and vetting of vulnerability disclosures that are used by these automakers as well as dozens of other technology companies. Bugcrowd has also developed a reputation system for researchers that submit vulnerability information and works with client companies to select groups of white hat hackers to conduct pre-release testing on new products.

Numerous startups including Karamba Security, Argus Cyber Security, and TowerSec have popped up in recent years to develop both hardware and software solutions to help detect and stop intrusions from malicious attackers. Since everyone familiar with cyber security acknowledges that no complex system can ever be guaranteed as secure, manufacturers are also working on resilience to keep vehicles safe in the event of an attack and be able to update them quickly after vulnerabilities are found.

Guidehouse Insights’ Automotive Cyber Security report projects that by 2025, more than 45 million vehicles annually will have telematics capabilities that enable over-the-air software updates, just as Tesla does today on its vehicles.

Vulnerabilities Continue

Despite the progress, recent news shows that there is still much work to be done on existing vehicles. In Houston, Texas, a pair of car thieves have been arrested after stealing 30 Jeeps in 6 months by hacking the vehicles’ ignition systems with a computer. Charlie Miller and Chris Valasek have again hacked a vehicle, taking control of the steering and brakes. After FCA corrected the vulnerability that enabled last year’s remote hack, they connected a computer through the onboard diagnostic port this time.

Yet another group of researchers have even demonstrated how a signal generator could be used to provide false reflections and fool the radar sensor of a Tesla with its AutoPilot driver assist active.

There will be undoubtedly be many more such demonstrations in the coming years as vehicles get more sensors, more connectivity, and more automation. From here on out, the industry can no longer afford to relax and will have to remain vigilant and ready to respond quickly to threats. Fortunately, they seem to be doing just that.